How to Bootstrap Anonymous Communication


Sune K. Jakobsen* and Claudio Orlandi** 


Abstract. We ask whether it is possible to anonymously communicate a large amount of data using 
only public (non-anonymous) communication together with a small anonymous channel. We think this 
is a central question in the theory of anonymous communication and to the best of our knowledge this 
is the first formal study in this direction. 

To solve this problem, we introduce the concept of anonymous steganography: think of a leaker Lea 
who wants to leak a large document to Joe the journalist. Using anonymous steganography Lea can 
embed this document in innocent looking communication on some popular website (such as cat videos 
on YouTube or funny memes on 9GAG). Then Lea provides Joe with a short key k which, when applied 
to the entire website, recovers the document while hiding the identity of Lea among the large number 
of users of the website. Our contributions include: 

— Introducing and formally defining anonymous steganography, 

— A construction showing that anonymous steganography is possible (which uses recent results in 
circuits obfuscation), 

— A lower bound on the number of bits which are needed to bootstrap anonymous communication. 

1 Introduction 

Lea the leaker wants to leak a big document to Joe the journalist in an anonymous way. Lea has a way of
anonymously communicating a small number of bits to Joe, but the size of the document she wants to leak
is orders of magnitude greater than the capacity of the anonymous channel between them.

In this paper we ask whether it is possible to “bootstrap” anonymous communication, in the sense that we 
want to construct a “large” anonymous channel using only public (non-anonymous) communication channels 
together with a “small” anonymous channel. We find the question to be central to the theory of anonymous 
communication and to the best of our knowledge this is the first formal study in this direction. 

To solve this problem, we introduce a novel cryptographic primitive, which we call anonymous steganography:
the goal of (traditional) steganography is to hide that a certain communication is taking place, by
embedding sensitive content in innocent looking traffic (such as pictures, videos, or other redundant
documents). There is no doubt that steganography is a useful tool for Lea the leaker: using steganography she
could send sensitive documents to Joe the journalist in such a way that even someone monitoring all internet
traffic would not be able to notice that this communication is taking place.

However, steganography alone cannot help Lea if she wants to make sure that Joe does not learn her
identity, and there is a strong demand for solutions which guarantee the anonymity of whistleblowers (see
e.g., SecureDrop).

Footnote: Of course this powerful eavesdropper could try to apply the decoding procedure of the steganographic
algorithm to the monitored traffic, but combining steganography with cryptography (assume e.g., that Lea knows
Joe's public key) it is quite easy to make sure that the message to be steganographically embedded is
indistinguishable from random.

Footnote (SecureDrop): https://freedom.press/securedrop





From a high level point of view, anonymous steganography allows Lea to embed some sensitive message
into an innocent looking document, in such a way that someone looking at the entire website (or a large
portion of it) can recover the original message without being able to identify which of the documents contains
the message. Unfortunately this is too good to be true, and in Section 3 we prove that it is impossible to
construct an anonymous steganography scheme unless Lea sends a key (of super-logarithmic size) to Joe.
The idea is: if the scheme is correct, at some point the probability that Joe outputs x has to increase from
polynomially small to 1. Joe can estimate how each message (sent by any of the users over the non-anonymous
channel) affects this probability and conclude that the message which changes this probability the most must
come from Lea. Hence, the message that causes this increase has to be sent over an anonymous channel.

To summarize, in anonymous steganography Lea wants to communicate a sensitive (large) message x to
Joe. To do so, she embeds x in some innocent looking (random) document c which she uploads to a popular
website (not necessarily in an anonymous way). Then Lea produces some (short) decoding key dk (which is
a function of c and all other documents on the website - or at least a set large enough so that her identity is
hidden in a large group of users, such as "all videos uploaded last week") which she then communicates to Joe
using an anonymous channel. Now Joe is able to recover the original message x from the website using the
key dk, but at the same time Joe has no way of telling which document contains the message (and therefore
which of the website's users is the leaker). In Section 2 we formally introduce anonymous steganography and
in Section 3 we show how to construct such a scheme.

Related Work. A practical way for a leaker to communicate anonymously with a journalist is to use e.g.,
the aforementioned SecureDrop, which uses Tor [DMS04]. However, Tor is not secure against end-to-end
attacks [DMS04]. Another disadvantage of Tor is that it relies on a network of servers whose only purpose
is to make anonymous communication possible. This means that countries can, with some success, block Tor
servers [WL12] and they could make it illegal to host such servers.

Message In A Bottle [IKV13] is a protocol where Lea can encrypt her message under Joe's public key,
embed it in an image using steganography and post the image on any blog. Joe will now monitor all blogs to
see if someone left a (concealed) message for him. Interestingly, [IKV13] shows that this approach is feasible
in practice and because Lea can use any blog, it will be costly for e.g. a government to prevent Lea from
sending the message to Joe. However, in this protocol Joe learns Lea's identity, which is what we are trying
to prevent in our work.

In cryptogenography [BJSW14, Jak14] a group of users cooperate to allow a leaker to publish a message
with some reasonable degree of anonymity: here we want that anyone should be able to recover the message
from the protocol transcript, but no one (even a computationally unbounded observer) should be able to
determine with certainty the identity of the leaker. In other words, in cryptogenography we are happy as
long as the observer cannot produce evidence which proves with certainty the identity of the leaker (which
could be used e.g., in a court case). In [BJSW14] the leaker can publish one bit correctly but no observer
can guess the identity of the leaker with probability more than 44%. In [Jak14] instead a different setting is
considered, where multiple leakers agree to publish some information while hiding their identity by blending
into an arbitrarily large group. The leakers do not need perfect anonymity, but just want to ensure that
for each leaker, an observer will never assign a probability greater than c to the event that that person is a
leaker. It is shown that for any e > 0 and sufficiently large n, n leakers can publish _ log(e) — n 

bits, where e is the base of the natural logarithm. Our work is inspired by the model in [Jak14]. The main
difference is that we assume the adversary has bounded computational power, so we only need one leaker
and we get all but negligible anonymity.

For a survey about anonymity channels, see [DD08]. In [IKOS06] the authors investigated how an
anonymous channel could be used to implement other cryptographic primitives, but not if it could be used
to bootstrap a larger anonymous channel. Finally, our positive result is inspired by the clever techniques
of Hubacek and Wichs [HW15] to compress communication using obfuscation, and crucially relies on their
techniques.

Footnote: Intuitively, it is crucial for Lea's anonymity that Joe can only decode the entire website at once:
if Joe had a way of decoding single documents (or portions) he would easily be able to pinpoint which document
(and therefore which user) contains the sensitive message.

Open problems. Unfortunately our positive result crucially relies on heavy tools such as homomorphic 
encryption and circuit obfuscation, making it very far from being useful in practice. We leave it as a major 
open question to construct such schemes using simpler and more efficient cryptographic tools (perhaps even 
at the price of relaxing the definition of anonymity). 

Other open problems include studying whether the computational complexity for the leaker must depend 
on the size of the anonymity set if the leaker is given a hash of all the documents, and whether it is possible 
to construct more efficient protocols if multiple leakers are leaking to Joe at once. 

2 Definitions 

Notation. We write $[x, y]$ with $x < y \in \mathbb{N}$ as a shorthand for $\{x, \ldots, y\}$ and $[x]$ as a shorthand for $[1, x]$.
If $v$ is a vector $(v_1, \ldots, v_n)$ then $v_{-i}$ is a vector such that $v_{-i} = (v_1, \ldots, v_{i-1}, \bot, v_{i+1}, \ldots, v_n)$ and
$(v_{-i}, v_i) = v$. A function is negligible if it goes to 0 faster than the inverse of any polynomial. We write
$\mathsf{poly}(\cdot)$ and $\mathsf{negl}(\cdot)$ for a generic polynomial and negligible function respectively. $x \leftarrow S$ denotes sampling
a uniform element $x$ from a set $S$. If $A$ is an algorithm, $x \leftarrow A$ is the output of $A$ on a uniformly random tape.
We highlight values $\alpha, \beta, \ldots$ hardwired in a circuit $C$ using the notation $C[\alpha, \beta, \ldots]$.

Anonymous Steganography. We define an anonymous steganography scheme as a tuple of algorithms
$\pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{KeyEx}, \mathsf{Dec})$ where:

— $ek \leftarrow \mathsf{Gen}(1^\lambda)$ is a randomized algorithm which generates an encoding key.

— $c \leftarrow \mathsf{Enc}_{ek}(x)$ is a randomized algorithm which encodes a secret message $x \in \{0,1\}^{\ell'}$ into a
(pseudorandom looking) document $c \in \{0,1\}^{\ell}$.

— $dk \leftarrow \mathsf{KeyEx}_{ek}(t, i)$ takes as input a public vector of documents $t \in (\{0,1\}^{\ell})^d$, an index $i \in [d]$ such that
$t_i = c$, and extracts a (short) decoding key $dk \in \{0,1\}^s$.

— $x' = \mathsf{Dec}_{dk}(t)$ recovers a message $x'$ using the decoding key $dk$ and the public vector of documents $t$ in
a deterministic way.

How to Use The Scheme. To use anonymous steganography, Lea generates the encoding key $ek$ using
$\mathsf{Gen}$, and then encodes her secret $x$ using $\mathsf{Enc}_{ek}$ to get the ciphertext $c$. She can then upload $c$ to some
website. She then waits some time, and chooses the set of documents she is hiding among, for example, all
files uploaded to this website during that day/week. Lea then downloads all these documents $t$ and finds
the index $i$ of her own document in this set. Finally she computes $dk \leftarrow \mathsf{KeyEx}_{ek}(t, i)$, and uses the small
anonymous channel to send $dk$ to Joe together with a pointer to $t$.

Properties of Anonymous Steganography. We require the following properties: correctness (meaning
that $x' = x$ with overwhelming probability), compactness (meaning that $s < \ell'$) and anonymity (meaning
that a receiver does not learn any information about $i$). Another natural requirement is confidentiality
(meaning that one should not be able to learn the message without the decoding key $dk$), but it is easy to
see that this follows from anonymity. Formal definitions follow:

Definition 1 (Correctness). We say an anonymous steganography scheme is q-correct if for all $\lambda \in \mathbb{N}$,
$x \in \{0,1\}^{\ell'}$, $i \in [d]$, $t_{-i} \in (\{0,1\}^{\ell})^{d-1}$, the following holds

$$\Pr[\mathsf{Dec}_{dk}((t_{-i}, c)) = x] > q,$$

where $ek \leftarrow \mathsf{Gen}(1^\lambda)$, $c \leftarrow \mathsf{Enc}_{ek}(x)$, $dk \leftarrow \mathsf{KeyEx}_{ek}((t_{-i}, c), i)$ and the probabilities are taken over all the
random coins. We simply say that a scheme is correct when $q > 1 - \mathsf{negl}(\lambda)$.

Footnote: All algorithms (even when not specified) take as input the security parameter $\lambda$, and the length
parameters $\ell, \ell', d, s$.

Footnote: In our scheme $\ell = \ell'$.

Footnote: For simplicity we will in this example assume that Lea is using a website where everyone is storing
documents that are indistinguishable from random. If she is using e.g. YouTube, she would need to use
steganography to get an innocent looking stegotext, and Lea and Joe should use the inverse program for
extracting messages from stegotext whenever they download documents from the site.

Definition 2 (Anonymity). Consider the following game between an adversary A and a challenger C : 

1. The adversary A outputs a message $x \in \{0,1\}^{\ell'}$, two indices $i_0 \neq i_1 \in [d]$, and a vector

2. The challenger C:

(a) samples a bit $b \leftarrow \{0,1\}$;

(b) computes $ek \leftarrow \mathsf{Gen}(1^\lambda)$, $t_{i_b} \leftarrow \mathsf{Enc}_{ek}(x)$ and samples $t_{i_{1-b}} \leftarrow \{0,1\}^{\ell}$;

(c) computes dk KeyEx^j. 

(d) outputs $dk$ to A;

3. A outputs a guess bit $g$;

We say $\pi$ satisfies anonymity if for all PPT A: $|\Pr[g = b] - \frac{1}{2}| = \mathsf{negl}(\lambda)$.

Building Blocks. We will need the following ingredients in our construction: 1) an indistinguishability
obfuscator [GGH+13] $\bar{C} \leftarrow \mathcal{O}(C)$ which takes any polynomial size circuit $C$ and outputs an obfuscated
version $\bar{C}$; 2) a compact homomorphic encryption scheme (HE.G, HE.E, HE.D, HE.Eval); 3) a pseudorandom
function $f$; 4) a vector commitment scheme (VC.G, VC.C, VC.D, VC.V) which allows to commit to a long
string $x$ using VC.C, and where it is possible to decommit to individual bits of $x$ using VC.D. Crucially, the
proof of correct decommitting for any bit $j$ has size at most polylog in $|x|$. In addition, we need that
the vector commitment scheme is somewhere statistically binding according to the definition of Hubacek and
Wichs [HW15]: in a nutshell, this means that when generating a commitment key $ck$ it is possible to specify a
special position $i$ such that a) any commitment generated using the key $ck$ is statistically binding for the $i$-th
bit of $x$ (this property is crucial to be able to verify these commitments inside circuits obfuscated using iO)
and that b) $ck$ computationally hides the index $i$. Such a vector commitment scheme can be constructed from
fully-homomorphic encryption [HW15]. To keep the paper self-contained, all these tools are formally defined
in the rest of this section.

Indistinguishability obfuscation. We use an indistinguishability obfuscator like
the one proposed in [GGH+13] such that $\bar{C} \leftarrow \mathcal{O}(C)$ which takes any polynomial size circuit $C$ and outputs
an obfuscated version $\bar{C}$ that satisfies the following property.

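Definition 3 (Indistinguishability Obfuscation). We say $\mathcal{O}$ is an indistinguishability obfuscator for a circuit
class $\mathcal{C}$ if for all $C_0, C_1 \in \mathcal{C}$ such that $\forall x : C_0(x) = C_1(x)$ and $|C_0| = |C_1|$ it holds that:

1. $\forall C \in \mathcal{C}, \forall x \in \{0,1\}^n, \mathcal{O}(C)(x) = C(x)$;

2. $|\mathcal{O}(C)| = \mathsf{poly}(\lambda |C|)$

3. for all PPT A:

$$|\Pr[A(\mathcal{O}(C_0)) = 0] - \Pr[A(\mathcal{O}(C_1)) = 1]| < \mathsf{negl}(\lambda)$$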

Homomorphic Encryption (HE). Let (HE.G, HE.E, HE.D) be an IND-CPA public-key encryption scheme
with an additional algorithm HE.Eval which on input the public key $pk$, $n$ ciphertexts $c_1, \ldots, c_n$ and a circuit
$C : \{0,1\}^n \to \{0,1\}$ outputs a ciphertext $c^*$, then we say that:

Definition 4 (Correctness - HE). An HE scheme (HE.G, HE.E, HE.D, HE.Eval) is correct for a circuit class
$\mathcal{C}$ if for all $C \in \mathcal{C}$

$$\mathsf{HE.D}_{sk}(\mathsf{HE.Eval}_{pk}(C, \mathsf{HE.E}_{pk}(x_1), \ldots, \mathsf{HE.E}_{pk}(x_n))) = C(x_1, \ldots, x_n)$$

Definition 5 (Compactness - HE). An HE scheme (HE.G, HE.E, HE.D, HE.Eval) is called compact if there
exists a polynomial $s \in \mathsf{poly}(\lambda)$ such that the output of $\mathsf{HE.Eval}(C, c_1, \ldots, c_n)$ is at most $s$ bits long (regardless
of the size of the circuit $|C|$ or the number of inputs $n$).

The first candidate homomorphic encryption for all circuits was introduced by Gentry [Gen09]. Later
Brakerski and Vaikuntanathan [BV11] showed that it is possible to build homomorphic encryption based
only on the (reasonable) assumption that the learning with error problem (LWE) is computationally hard.

Pseudorandom Functions. We need a pseudorandom function $f : \{0,1\}^\lambda \times \{0,1\}^\lambda \to \{0,1\}$. It is well
known that the existence of one way functions (implied by the existence of homomorphic encryption) implies
the existence of PRFs.

Somewhere Statistically Binding (SSB) Vector Commitment Scheme. This primitive was introduced
by Hubacek and Wichs [HW15] under the name somewhere statistically binding hash, but we think
that the term vector commitment scheme is better at communicating the goal of this primitive.

In a nutshell, a Merkle tree (instantiated with a collision resistant hash function) allows one to construct a
vector commitment: the commitment is the root of the tree, and to decommit a single leaf one can simply
send the (logarithmically many) hashes corresponding to the nodes which are necessary to compute the
root from the leaf. Unfortunately this only leads to a computationally binding commitment, which leads to a
problem when verifying these commitments inside a circuit obfuscated using indistinguishability obfuscation.
The point is, iO only ensures that the obfuscations of two circuits are computationally indistinguishable if the
two original circuits compute the same function. Therefore computational binding is not enough since there
exist (even if they are hard to find) other inputs which make the verification procedure accept. A somewhere
statistically binding commitment has the additional property that when the commitment key is generated,
an index $i$ is specified as well, and the commitment key "hides" this index $i$. Now a commitment to $x$ is
computationally binding for all leaves $\neq i$ and statistically binding for the leaf $i$. This allows us to (via a
series of hybrids) use this commitment inside a circuit obfuscated using iO.
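The Merkle-tree vector commitment sketched in the paragraph above, as an added Python example (not code from the paper). SHA-256, the domain tags, the 0-based index and the constructed sample vector are assumptions of this sketch; it is only computationally binding and is not the SSB scheme of [HW15] that the construction needs.

```python
import hashlib


def _h(tag: bytes, *parts: bytes) -> bytes:
    """SHA-256 with a domain tag, so a leaf is never confused with an inner node."""
    d = hashlib.sha256(tag)
    for p in parts:
        d.update(p)
    return d.digest()


def _levels(blocks):
    """All tree levels, leaves first; the leaf count is padded to a power of two."""
    size = 1
    while size < len(blocks):
        size *= 2
    level = [_h(b"\x00", b) for b in blocks] + [_h(b"\x02")] * (size - len(blocks))
    levels = [level]
    while len(level) > 1:
        level = [_h(b"\x01", level[k], level[k + 1]) for k in range(0, len(level), 2)]
        levels.append(level)
    return levels


def commit(blocks) -> bytes:
    """Commit: the commitment y is the Merkle root (32 bytes, whatever L is)."""
    return _levels(blocks)[-1][0]


def decommit(blocks, j: int):
    """Decommit: the sibling hashes on the path from leaf j (0-based) to the root."""
    if not 0 <= j < len(blocks):
        raise IndexError("leaf index out of range")
    proof = []
    for level in _levels(blocks)[:-1]:
        proof.append(level[j ^ 1])  # sibling of the current node
        j //= 2
    return proof


def verify(y: bytes, j: int, u: bytes, proof) -> bool:
    """Verify: recompute the root from the claimed value u at position j."""
    if j < 0:
        return False
    node = _h(b"\x00", u)
    for sibling in proof:
        if j % 2 == 0:
            node = _h(b"\x01", node, sibling)
        else:
            node = _h(b"\x01", sibling, node)
        j //= 2
    # j must be exhausted, otherwise the index does not fit a tree of this depth
    return j == 0 and node == y


def sample_vector(n: int = 1000):
    """Constructed stand-ins for a committed vector: n distinct 32-byte strings."""
    return [hashlib.sha256(b"constructed-block-%d" % k).digest() for k in range(n)]


if __name__ == "__main__":
    x = sample_vector()
    y = commit(x)
    pi = decommit(x, 617)
    print(len(y), len(pi), verify(y, 617, x[617], pi))
```

The proof for one of 1000 leaves is ten hashes, which is the logarithmic decommitment size the construction relies on.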

More formally a SSB vector commitment scheme is composed of the following algorithms:

Key Generation: The key generation algorithm $ck \leftarrow \mathsf{VC.G}(1^\lambda, L, i)$ takes as input an integer $L < 2^\lambda$ and
index $i \in [L]$ and outputs a public key $ck$.

Commit: The commit algorithm $\mathsf{VC.C}_{ck} : (\{0,1\}^{\ell_b})^L \to \{0,1\}^{\ell_c}$ is a deterministic polynomial time algorithm
which takes as input a string $x = (x_1, \ldots, x_L) \in (\{0,1\}^{\ell_b})^L$ and outputs $\mathsf{VC.C}_{ck}(x) \in \{0,1\}^{\ell_c}$.

Decommit: The decommit algorithm $\pi \leftarrow \mathsf{VC.D}_{ck}(x, j)$ given the commitment key $ck$, the input
$x \in (\{0,1\}^{\ell_b})^L$ and an index $j \in [L]$, creates a proof of correct decommitment $\pi \in \{0,1\}^{\ell_d}$.

Verify: The verify algorithm $\mathsf{VC.V}_{ck}(y, j, u, \pi)$ given the key $ck$ and $y \in \{0,1\}^{\ell_c}$, an integer index $j \in [L]$, a
value $u \in \{0,1\}^{\ell_b}$ and a proof $\pi \in \{0,1\}^{\ell_d}$, outputs 1 for accept (that $y = \mathsf{VC.C}_{ck}(x)$ and $x_j = u$) or 0
for reject.

Definition 6 (Vector Commitment Scheme - Correctness). A vector commitment scheme is correct if
for any $L < 2^\lambda$ and $i, j \in [L]$, any $ck \leftarrow \mathsf{VC.G}(1^\lambda, L, i)$, $x \in (\{0,1\}^{\ell_b})^L$, $\pi \leftarrow \mathsf{VC.D}_{ck}(x, j)$ it holds that
$\mathsf{VC.V}_{ck}(\mathsf{VC.C}_{ck}(x), j, x_j, \pi) = 1$.

Definition 7 (Vector Commitment Scheme - Index Hiding). We consider the following game between an
attacker A and a challenger C:

— The attacker $A(1^\lambda)$ chooses an integer $L$ and two indices $i_0 \neq i_1 \in [L]$;

— The challenger C chooses a bit $b \leftarrow \{0,1\}$ and sets $ck \leftarrow \mathsf{VC.G}(1^\lambda, L, i_b)$.

— The attacker A gets $ck$ and outputs a guess bit $g$.

We say a vector commitment scheme is index hiding if for all PPT A

$$\left|\Pr[g = b] - \frac{1}{2}\right| < \mathsf{negl}(\lambda)$$

Definition 8 (Vector Commitment Scheme - Somewhere Statistically Binding). We say $ck$ is statistically
binding for index $i$ if there are no $y, u \neq u', \pi, \pi'$ such that

$$\mathsf{VC.V}_{ck}(y, i, u, \pi) = \mathsf{VC.V}_{ck}(y, i, u', \pi') = 1$$

In [HW15] it is shown how to construct SSB vector commitments using homomorphic encryption.
3 A Protocol For Anonymous Steganography

We start with a high-level description of our protocol (in steps) before presenting the actual construction 
and proving that it satisfies our notion of anonymity. 

First attempt. Let the encoding key $ek$ be a key for a PRF $f$, and let the encoding procedure be simply a
"symmetric encryption" of $x$ using this PRF.

In this first attempt we let the decoding key $dk$ be the obfuscation of a circuit $C[i, ek, \gamma](t)$. The circuit
contains two hard-wired secrets, the index of Lea's document $i \in [d]$ and the key for the PRF $ek$. It also
contains the hash of the entire set of documents $\gamma = H(t)$. On input a database $t$ the circuit checks if
$\gamma = H(t)$ and if this is the case outputs $x$ by decrypting $t_i$ with $ek$.

Clearly this first attempt fails miserably since the size of the circuit is now proportional to the size of the
entire database $|t| = d\ell$, which is even larger than the size of the secret message $|x| = \ell$.

Second attempt. To remove the dependency on the number of documents $d$, we include in the decoding key
an encryption $\alpha = \mathsf{HE.E}_{pk}(i)$ of the index $i$ (using the homomorphic encryption scheme), and an obfuscation
of a (new) circuit $C[ek, sk, \gamma](\beta)$, which contains hardwired secrets $ek$ and $sk$ (the secret key for the
homomorphic encryption scheme), as well as a hash $\gamma = H(\mathsf{HE.Eval}(\mathsf{mux}[t], \alpha))$, where the circuit $\mathsf{mux}[t](i)$ outputs
$t_i$. The circuit $C$ now checks that $\gamma = H(\beta)$ and if this is the case computes $t_i \leftarrow \mathsf{HE.D}_{sk}(\beta)$ using the secret
key of the HE scheme, then decrypts $t_i$ using $ek$ and outputs the secret message $x$. When Joe receives the
decoding key $dk$, Joe constructs the circuit $\mathsf{mux}[t]$ (using the public $t$) and computes $\beta = \mathsf{HE.Eval}(\mathsf{mux}[t], \alpha)$.
To learn the secret, he runs the obfuscated circuit on $\beta$.

In other words, we are now exploiting the compactness of the homomorphic encryption scheme to let Joe
compute an encryption of the document $c = t_i$ from the public database $t$ and the encryption of $i$. Since Lea
the leaker can predict this ciphertext, she can construct a circuit which only decrypts when this particular
ciphertext is provided as input. However, the size of $\beta$ (and therefore $C$) is proportional to $\mathsf{poly}(\lambda) + \ell$, thus
we are still far from our goal.

Third attempt. To remove the dependency on the length of the document $\ell$, we construct a circuit which
takes as input an encryption of a single bit $j$ instead of the whole ciphertext. However, we also need to make
sure that the circuit only decrypts these particular ciphertexts, and does not help Joe in decrypting anything
else. Moreover, the circuit must perform this check in an efficient way (meaning, independent of the size of
$\ell$), so we cannot simply "precompute" these $\ell$ ciphertexts and hardwire them into $C$.

This is where we use the vector commitment: we let the decoding key include a (short) commitment
key $ck$. We include in the obfuscated circuit a (short) commitment $\gamma = \mathsf{VC.C}_{ck}(\beta)$ (where $\beta = (\beta^1, \ldots, \beta^\ell)$
is a vector of encryptions of bits) and we make sure that the circuit only helps Joe in decrypting these $\ell$
ciphertexts (and nothing else). In other words, we obfuscate the circuit $C[ek, sk, ck, \gamma](\beta', \pi', j)$ which first
checks if $\mathsf{VC.V}_{ck}(\gamma, j, \beta', \pi') = 1$ and if this is the case it outputs the $j$-th bit of $x$ from the $j$-th bit of the
ciphertext $t_i^j \leftarrow \mathsf{HE.D}_{sk}(\beta')$. We have now almost achieved our goal, since the size of the decoding key is
$\mathsf{poly}(\lambda \log(d\ell))$.

Final attempt. We now have to argue that our scheme is secure. Intuitively, while it is true that the index
$i$ is only sent in encrypted form, we have a problem since the obfuscated circuit contains the secret key for
the homomorphic encryption scheme, and we therefore need a final fix to be able to argue that the adversary
does not learn any information about $i$.

The final modification to our construction is to encrypt the index $i$ twice under two independent public
keys. From these encryptions Joe computes two independent encryptions of the bit $t_i^j$ which he inputs to
the obfuscated circuits together with proofs of decommitment. The circuit now outputs $\bot$ if any of the two
decommitment proofs are incorrect, otherwise the circuit computes and outputs $x^j$ from one of the two
encryptions (and ignores the second ciphertext).

Footnote: The evaluation algorithm HE.Eval can always be made deterministic since we do not need circuit privacy.

Footnote: Note that the decryption key also contains an encryption of $i$ which depends logarithmically on $d$, but we
are going to ignore all logarithmic factors.

Footnote: This means that we need to use a symmetric encryption scheme where it is possible to recover a single bit
of the plaintext from a single bit of the ciphertext. This can easily be done by encrypting $x$ bit by bit using the PRF.
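The bit-by-bit PRF encryption from the footnote above, together with the mux circuit from the second attempt, as an added Python example (not code from the paper). HMAC-SHA256 truncated to one bit stands in for the PRF, the key, message and database are constructed, and the index i and key ek are used in the clear: HE, the vector commitment and the obfuscator are left out, so this shows the data flow only and gives no anonymity.

```python
import hashlib
import hmac


def prf_bit(ek: bytes, j: int) -> int:
    """f_ek(j) in {0,1}; HMAC-SHA256 truncated to one bit is an assumption of this sketch."""
    return hmac.new(ek, j.to_bytes(8, "big"), hashlib.sha256).digest()[0] & 1


def get_bit(doc: bytes, j: int) -> int:
    """Bit j of a document, 1-based as in the paper, most significant bit first."""
    byte, off = divmod(j - 1, 8)
    return (doc[byte] >> (7 - off)) & 1


def _pack(bits) -> bytes:
    """Pack a list of bits (first bit = bit 1) back into bytes."""
    out = bytearray(len(bits) // 8)
    for k, bit in enumerate(bits):
        out[k // 8] |= bit << (7 - k % 8)
    return bytes(out)


def enc(ek: bytes, x: bytes) -> bytes:
    """Encoding: bit j of c is bit j of x XOR f_ek(j), so c is as long as x."""
    return _pack([get_bit(x, j) ^ prf_bit(ek, j) for j in range(1, 8 * len(x) + 1)])


def mux(t, j: int, i: int) -> int:
    """mux[t, j](i): the j-th bit of the i-th document (both 1-based)."""
    return get_bit(t[i - 1], j)


def dec_bit(ek: bytes, t, i: int, j: int) -> int:
    """One plaintext bit from one ciphertext bit: mux[t, j](i) XOR f_ek(j)."""
    return mux(t, j, i) ^ prf_bit(ek, j)


def dec(ek: bytes, t, i: int) -> bytes:
    """Recover the whole message by decoding every bit position independently."""
    return _pack([dec_bit(ek, t, i, j) for j in range(1, 8 * len(t[i - 1]) + 1)])


def build_database(c: bytes, i: int, d: int):
    """Constructed database t: d documents of equal length with c at index i.
    The other entries are deterministic filler standing in for other users' uploads."""
    t = [hashlib.shake_256(b"constructed-doc-%d" % k).digest(len(c)) for k in range(1, d + 1)]
    t[i - 1] = c
    return t


if __name__ == "__main__":
    ek = bytes(range(16))                 # constructed key; Gen samples it uniformly
    x = b"constructed sample leak"        # constructed message
    t = build_database(enc(ek, x), i=5, d=8)
    print(dec(ek, t, 5))                  # the message
    print(dec_bit(ek, t, 5, 10), get_bit(x, 10))  # a single bit, decoded on its own
```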
Anonymity. Very informally, we can now prove that Joe cannot distinguish between the decoding keys
computed using indices $i_0$ and $i_1$ in the following way: we start with the case where the decoding key
contains two encryptions of $i_0$ (this corresponds to the game in the definition with $b = 0$). Then we define a
hybrid game where we change one of the two ciphertexts from being an encryption of $i_0$ to an encryption
of $i_1$. In particular, since we change the ciphertext which is ignored by the obfuscated circuit, this does not
change the output of the circuit at all (and we can argue indistinguishability since the obfuscated circuit does
not contain the secret key for this ciphertext). We also replace the random document with an encryption
of $x$ with a new key for the PRF. Finally we change the obfuscated circuit and let it recover the message $x$
from the second ciphertext. Thanks to the SSB property of the commitment scheme it is possible to prove,
in a series of hybrids, that the adversary cannot notice this change. To conclude the proof we repeat the
hybrids (in inverse order) to reach a game which is identical to the definition of anonymity when $b = 1$.

The Actual Construction. A complete specification of our anonymous steganography scheme follows. 

Key Generation: On input the security parameter $\lambda$ the algorithm Gen samples a random key $ek \in \{0,1\}^\lambda$
for the PRF and outputs $ek$.

Encoding: On input a message $x \in \{0,1\}^\ell$ and an encoding key $ek$ the algorithm Enc outputs an encoded
message $c \in \{0,1\}^\ell$ where for each bit $j \in [\ell]$, $c^j = x^j \oplus f_{ek}(j)$.

Key Extraction: On input the encoding key $ek$, the database of documents $t$, and index $i$ such that $t_i = c$
the algorithm KeyEx outputs a decoding key $dk$ generated as follows:

1. For all $u \in \{0,1\}$ run $(pk_u, sk_u) \leftarrow \mathsf{HE.G}(1^\lambda)$ and $\alpha_u \leftarrow \mathsf{HE.E}_{pk_u}(i)$.

2. For all $j \in [\ell], u \in \{0,1\}$ run $\beta_u^j = \mathsf{HE.Eval}_{pk_u}(\mathsf{mux}[t, j], \alpha_u)$, where the circuit $\mathsf{mux}[t, j](i)$ outputs
the $j$-th bit of the $i$-th document;

3. For all $u \in \{0,1\}$ run $ck_u \leftarrow \mathsf{VC.G}(1^\lambda, \ell, 0)$ and $\gamma_u \leftarrow \mathsf{VC.C}_{ck_u}(\beta_u^1, \ldots, \beta_u^\ell)$.

4. Pick a random bit $\sigma \in \{0,1\}$.

5. Define the circuit $C[ek, \sigma, sk_\sigma, ck_0, ck_1, \gamma_0, \gamma_1](\beta_0, \beta_1, \pi_0, \pi_1, j)$ as follows:

(a) if ($\forall u \in \{0,1\} : \mathsf{VC.V}_{ck_u}(\gamma_u, j, \beta_u, \pi_u)$) output $\mathsf{HE.D}_{sk_\sigma}(\beta_\sigma) \oplus f_{ek}(j)$;

(b) else output $\bot$;

6. Compute an obfuscation $\bar{C} \leftarrow \mathcal{O}(C_\sigma)$ where $C_\sigma$ is a shorthand for the circuit defined before, padded
to length equal to $\max(C, C')$ (where the circuit $C'$ is defined in the proof of security).

7. Output $dk = (pk_0, pk_1, \alpha_0, \alpha_1, ck_0, ck_1, \bar{C})$

Decoding: On input a decoding key $dk$ and a database of documents $t$ the algorithm Dec outputs a message
$x'$ in the following way:

1. Parse $dk = (pk_0, pk_1, \alpha_0, \alpha_1, ck_0, ck_1, \bar{C})$;

2. For all $j \in [\ell], u \in \{0,1\}$ run $\beta_u^j = \mathsf{HE.Eval}_{pk_u}(\mathsf{mux}[t, j], \alpha_u)$;

3. For all $u \in \{0,1\}$ run $\gamma_u \leftarrow \mathsf{VC.C}_{ck_u}(\beta_u^1, \ldots, \beta_u^\ell)$.

4. For all $j \in [\ell], u \in \{0,1\}$ compute $\pi_u^j \leftarrow \mathsf{VC.D}_{ck_u}((\beta_u^1, \ldots, \beta_u^\ell), j)$;

5. For all $j \in [\ell]$ output $(x')^j \leftarrow \bar{C}(\beta_0^j, \beta_1^j, \pi_0^j, \pi_1^j, j)$;

Theorem 1. If a) $f$ is a PRF, b) (VC.G, VC.C, VC.D, VC.V) is a vector commitment scheme satisfying
Definitions 6, 7 and 8, c) (HE.G, HE.E, HE.D, HE.Eval) is a homomorphic encryption scheme satisfying Definitions 4
and 5, and d) $\mathcal{O}$ is an obfuscator for all polynomial size circuits satisfying Definition 3, then the anonymous
steganography scheme (Gen, Enc, KeyEx, Dec) satisfies Definitions 1 and 2.

Proof. Correctness (Definition 1). Correctness follows from inspection of the protocol. In particular, for
each bit $j \in [\ell]$ it holds that

$$\bar{C}(\beta_0^j, \beta_1^j, \pi_0^j, \pi_1^j, j) = C[ek, \sigma, sk_\sigma, ck_0, ck_1, \gamma_0, \gamma_1](\beta_0^j, \beta_1^j, \pi_0^j, \pi_1^j, j)$$

thanks to Definition 3 (Bullet 1). It is also true (thanks to Definition 4) that $\forall u \in \{0,1\}$ the ciphertext $\beta_u^j$
is such that

$$\mathsf{HE.D}_{sk_u}(\beta_u^j) = \mathsf{mux}[t, j](\mathsf{HE.D}_{sk_u}(\alpha_u)) = \mathsf{mux}[t, j](i) = t_i^j$$

Now, since $t_i^j = x^j \oplus f_{ek}(j)$ it follows that the output $z$ of $\bar{C}$ is either $\bot$ or $x^j$. Finally, the circuit only
outputs $\bot$ if $\exists u \in \{0,1\}$ s.t. $\mathsf{VC.V}_{ck_u}(\gamma_u, j, \beta_u^j, \pi_u^j) = 0$. But since

$$ck_u \leftarrow \mathsf{VC.G}(1^\lambda, \ell, 0), \quad \gamma_u \leftarrow \mathsf{VC.C}_{ck_u}(\beta_u^1, \ldots, \beta_u^\ell), \quad \pi_u^j \leftarrow \mathsf{VC.D}_{ck_u}((\beta_u^1, \ldots, \beta_u^\ell), j)$$

then the probability that $\bar{C}$ (and therefore Dec) outputs $\bot$ is 0 thanks to Definition 6.

Footnote: Note that we consider HE.Eval to be a deterministic algorithm. This can always be achieved by fixing the
random tape of HE.Eval to some constant value.

Anonymity (Definition 2). We prove anonymity using a series of hybrid games. We start with a game
which is equivalent to the definition when $b = 0$ and we end with a game which is equivalent to the definition
when $b = 1$. We prove at each step that the next hybrid is indistinguishable from the previous. Therefore,
at the end we conclude that the adversary cannot distinguish whether $b = 0$ or $b = 1$.

Hybrid 0. This is the same as the definition when $b = 0$. In particular, here it holds that

$$(\alpha_0, \alpha_1) \leftarrow (\mathsf{HE.E}_{pk_0}(i_0), \mathsf{HE.E}_{pk_1}(i_0)).$$

Hybrid 1. In the first hybrid we replace $\alpha_{1-\sigma}$ with $\alpha_{1-\sigma} \leftarrow \mathsf{HE.E}_{pk_{1-\sigma}}(i_1)$. Note that the circuit
$C[ek, \sigma, sk_\sigma, ck_0, ck_1, \gamma_0, \gamma_1](\cdot)$ does not contain the secret key $sk_{1-\sigma}$, therefore any adversary that can
distinguish between Hybrid 0 and 1 can be turned into an adversary which breaks the IND-CPA property of the HE scheme.

Hybrid 2. In the previous hybrids $t_{i_1}$ is a random string from $\{0,1\}^\ell$. In this hybrid we replace $t_{i_1}$ with an
encryption of $x$ using a new PRF key $ek'$. That is, for each bit $j \in [\ell]$ we set $t_{i_1}^j = x^j \oplus f_{ek'}(j)$. Clearly, any
adversary that can distinguish between Hybrid 1 and Hybrid 2 can be used to break the PRF.

Hybrid 3.$(\tau, \rho)$. We now define a series of $2(\ell + 1)$ hybrids indexed by $\tau \in [0, \ell]$, $\rho \in \{0,1\}$. In Hybrid 3.$(\tau, \rho)$
we replace the obfuscated circuit with the circuit $C'[\tau, ek, ek', \sigma, sk_0, sk_1, ck_0, ck_1, \gamma_0, \gamma_1](\beta_0, \beta_1, \pi_0, \pi_1, j)$
defined as

1. if ($\exists u \in \{0,1\} : \mathsf{VC.V}_{ck_u}(\gamma_u, j, \beta_u, \pi_u) = 0$) output $\bot$

2. else if ($j > \tau$) output $\mathsf{HE.D}_{sk_\sigma}(\beta_\sigma) \oplus f_{ek}(j)$;

3. else output $\mathsf{HE.D}_{sk_{1-\sigma}}(\beta_{1-\sigma}) \oplus f_{ek'}(j)$;

We use $C'_\tau$ as a shorthand for a circuit defined as above which is padded to length $\max(C', C)$.

In addition, we also replace the way the keys for the vector commitment schemes are generated. Remember
that in the previous hybrids

$$\forall u \in \{0,1\}: \quad ck_u \leftarrow \mathsf{VC.G}(1^\lambda, \ell, 0)$$

which are now replaced with

$$\forall u \in \{0,1\}: \quad ck_u \leftarrow \mathsf{VC.G}(1^\lambda, \ell, \tau + \rho).$$

From inspection it is clear that the circuit obfuscated in Hybrid 3.$(0, 0)$ computes the same function as
the circuit obfuscated in Hybrid 2 (since $j$ is indexed starting from 1 we always have $j > \tau$ and the branch
(3) is never taken), and they are therefore indistinguishable thanks to Definition 3 (Bullet 3).

Next, we argue that Hybrid 3.(r, 0) is indistinguishable from Hybrid 3 .(t, I) for all r G [P\. In those 
hybrids the obfuscated circuit is exactly the same, and the only difference is in the way the commitment 
keys cko,cki are generated. In particular, the only difference is the index on which the keys are statistically 
binding. Therefore, any adversary who can distinguish between 3.(r, 0) and Hybrid 3 .(t, 1) can be used to 
break the index hiding property (Definition [7]) of the vector commitment scheme. 

Finally, we argue that Hybrid 3.($\tau$, 1) is indistinguishable from Hybrid 3.($\tau + 1$, 0). First we note that the commitment keys $ck_0, ck_1$ are identically distributed in these two hybrids, i.e., in both hybrids

$$\forall u \in \{0,1\} : ck_u \leftarrow \mathrm{VC.G}(1^\lambda, \ell, \tau + 1).$$

The only difference between the two hybrids is what circuits are being obfuscated: in Hybrid 3.($\tau$, 1) we obfuscate $C'_\tau$ and in Hybrid 3.($\tau + 1$, 0) we obfuscate $C'_{\tau+1}$. We now argue that these two circuits give the same output on every input, and therefore an adversary that can distinguish between Hybrid 3.($\tau$, 1) and Hybrid 3.($\tau + 1$, 0) can be used to break the indistinguishability obfuscator.

It follows from inspection that the two circuits behave differently only on inputs of the form $(\beta_0, \beta_1, \pi_0, \pi_1, \tau + 1)$. On input of this form:

— $C'_\tau$ (since $j = \tau + 1 > \tau$) chooses branch (2) and outputs

— $C'_{\tau+1}$ (since $j = \tau + 1 = \tau + 1$) chooses branch (3) and outputs

Now, the statistically binding property of the vector commitment scheme (Definition E]) allows us to conclude that there exists only one single pair $(\beta_0, \beta_1)$ for which $C'_\tau$ and $C'_{\tau+1}$ do not output $\bot$ (remember that in both hybrids the commitment keys $ck_0, ck_1$ are statistically binding on index $\tau + 1$), namely the pair

Vu e {0,1} fii = HE.Evalpfc„ (mux[t, r + 1], 

which decrypts to the pair (since we changed ai-a- in Hybrid 1), which in turns were defined as 

(since we changed in Hybrid 2) 


® fekij),X^ © fek'ij)) 

which implies that Xq = xj and therefore the two circuits have the exact same input output behavior. 

This concludes the technical core of our proof; what is left now is to make a few simple changes to go from Hybrid 3.($\ell$, 0) to the same game as Definition 5 when $b = 1$.

Hybrid 4. In this hybrid we replace the obfuscated circuit with

$$C[ek', \sigma', sk_{\sigma'}, ck_0, ck_1, \gamma_0, \gamma_1](\cdot)$$

where $\sigma' = 1 - \sigma$. It is easy to see that the input/output behavior of this circuit is exactly the same as $C'_\ell$ (since $\forall j \in [\ell] : j \leq \ell$ the circuit $C'_\ell$ always executes branch 3) and therefore an adversary that can distinguish between Hybrid 4 and Hybrid 3.($\ell$, 0) can be used to break the indistinguishability obfuscator.

Hybrids 5, 6, 7. In Hybrid 5 we change the distribution of both commitment keys $ck_0, ck_1$ to $\mathrm{VC.G}(1^\lambda, \ell, 0)$ (whereas in Hybrid 4 they were both sampled as $\mathrm{VC.G}(1^\lambda, \ell, \ell + 1)$). Indistinguishability follows from the index hiding property. In Hybrid 6 we replace $t_{i_0}$ with a uniformly random string in {0,1}^ (whereas in the previous hybrid it was an encryption of $x$ using the PRF $f$ with key $ek$). Since the obfuscated circuit no longer contains $ek$ we can use an adversary which distinguishes between Hybrids 5 and 6 to break the PRF. In Hybrid 7 we replace $\alpha_{1-\sigma'}$ (which in the previous hybrid is an encryption of $i_0$) with an encryption of $i_1$. Since the obfuscated circuit no longer contains $sk_{1-\sigma'} = sk_\sigma$ we can use an adversary which distinguishes between Hybrids 6 and 7 to break the IND-CPA property of the encryption scheme. Now Hybrid 7 is exactly as the definition of anonymity with $b = 1$ with a random bit $\sigma' = 1 - \sigma$ (which is distributed uniformly at random) and a random encoding key $ek'$. This concludes the proof.

□ 


Our theorem, together with the results of [HW15], implies the following.

Corollary 1. Assuming the existence of homomorphic encryption and indistinguishability obfuscators for all polynomially sized circuits, there exists an anonymous steganography scheme.

4 Lower Bound 

In this section we show that any (correct) anonymous steganography scheme must have a decoding key of size bigger than $O(\log(\lambda))$. Since the decoding key must be sent over an anonymous channel, this gives a lower bound on the number of bits which are necessary to bootstrap anonymous communication.

To show this, we find a strategy for Joe that gives him a higher probability of guessing the leaker than if he guessed uniformly at random.

Our lower bound applies to a more general class of anonymous steganography schemes than defined earlier, in particular it also applies to reactive schemes where the leaker can post multiple documents to the website, as a function of the documents posted by other users.

We define a reactive anonymous steganography scheme as a tuple of algorithms $\pi = (\mathrm{Enc}, \mathrm{KeyEx}, \mathrm{Dec})$ where:

— $(t_k, state_j) \leftarrow \mathrm{Enc}_{ek}(x, t^{k-1}, state_{j-1})$ is an algorithm which takes as input a message $x \in \{0,1\}^{\ell'}$, a sequence of documents $t^{k-1}$ (which represents the set of documents previously sent) and a state of the leaker, and outputs a new document $t_k \in \{0,1\}^{\ell}$, together with a new state.

— $dk \leftarrow \mathrm{KeyEx}_{ek}(t^d, state)$ is an algorithm which takes as input a transcript of all documents sent and the current state of the leaker and outputs a decryption key $dk \in \{0,1\}^s$.

— $x' = \mathrm{Dec}_{dk}(t^d)$ is an algorithm that given transcript $t^d$ returns a guess $x'$ of what the secret is in a deterministic way.

To use a reactive anonymous steganography scheme, the leaker's index $i$ is chosen uniformly at random from $\{1, \dots, n\}$ where $n$ is the number of players. For each $k$ from 1 to $d$ we generate a document $t_k$. If $k \not\equiv i \bmod n$ we let $t_k \leftarrow \{0,1\}^{\ell}$. This corresponds to the non-leakers sending a message. When $k \equiv i \bmod n$ we define $(t_k, state_j) \leftarrow \mathrm{Enc}_{ek}(x, t^{k-1}, state_{j-1})$, where $t^{k-1} = (t_1, \dots, t_{k-1})$. Then we define $dk \leftarrow \mathrm{KeyEx}_{ek}(t^d, state)$ and $x' = \mathrm{Dec}_{dk}(t^d)$. Here $dk$ is the message that Lea would send over the small anonymous channel.

The definition of $q$-correctness for reactive schemes is the same as for standard schemes, but our definition of anonymity is weaker because we do not allow the adversary to choose the documents for the honest users. This implies that our lower bound is stronger.

Definition 9 (Correctness). A reactive anonymous steganography scheme is $q$-correct if for all $\lambda$ and $x \in \{0,1\}^{\ell'}$ we have

$$\Pr[\mathrm{Dec}_{dk}(t^d) = x] \geq q,$$

where $t^d$ and $dk$ are chosen as above and the probability is taken over all the random coins.

Definition 10 (Weak Anonymity). Consider the following game between an adversary $A$ and a challenger $C$:

1. The adversary $A$ outputs a message $x \in \{0,1\}^{\ell'}$;

2. The challenger $C$ samples random $i \in [n]$, and generates $t^d, dk$ as described above;

3. The challenger $C$ outputs $t^d, dk$;

4. $A$ outputs a guess $g$.

We say that an adversary has advantage $\epsilon(\lambda)$ if $|\Pr[g = i] - \frac{1}{n}| \geq \epsilon(\lambda)$. We say a reactive anonymous steganography scheme provides anonymity if for any adversary, the advantage is negligible.

In the model we assume that the non-leakers' documents are chosen uniformly at random. This is realistic in the case where we use steganography, so that each $t_k$ is the result of extracting information from a larger file. We could also define a more general model where the distribution of each non-leaker's documents $t_k$ depends on the previous transcript. The proof of our impossibility results works as long as the adversary can sample from $T_k|_{T^{k-1} = t^{k-1},\, i \not\equiv k \bmod n}$ in polynomial time. Using this general model, we can also model the more realistic situation where the players do not take turns in sending documents, but at each step only send a document with some small probability. To do this, we just consider "no document" to be a possible value of $t_k$.

We could also generalise the model to let the leaker use the anonymous channel at any time, not just after all the documents have been sent. However, in such a model, the anonymous channel transmits more information than just the number of bits sent over the channel: the times at which the bits are sent can be used to transmit information [IW10]. For the number of bits sent to be a fair measure of how much information is transferred over the channel, we should only allow the leaker to use the channel when Joe knows she would use the anonymous channel, and the leaker should only be allowed to send messages from a prefix-free code (which might depend on the transcript, but should be computable in polynomial time for Joe). Our impossibility result also works for this more general model, however, to keep the notation simple, we will assume that the anonymous channel is only used at the end.

Footnote: Note that a "standard" anonymous steganography scheme is also a reactive anonymous scheme.

Finally, we could generalise the model by allowing access to public randomness. However, this does not 
help the players: as none of the players are controlled by the adversary, the players can generate trusted 
randomness themselves. 

We let $T' = (T'_1, \dots, T'_d)$ denote the random variable where each $T'_k$ is uniformly distributed on $\{0,1\}^{\ell}$. In particular $T'|_{T'^k = t^k}$ is the distribution the transcript would follow if the first $k$ documents are given by $t^k$ and all the players were non-leakers. We let $dk'$ be uniformly distributed on $\{0,1\}^s$. Joe can sample from both $T'|_{T'^k = t^k}$ and $dk'$ and he can compute Dec. His strategy to guess the leaker given a transcript $t$ will be to estimate $\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)$ for each $k \leq d$. That is, given that the transcript of the first $k$ documents is $t^k$ and all later documents are chosen as if the sender was not a leaker and the anonymous channel just sends random bits, what is the probability that the result is $x$? He can estimate this by sampling: given $t^k$ he randomly generates $t^d$ and $dk$, and then he computes Dec of this extended transcript.

Joe will now consider how each player affects these probabilities, given by $\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)$. Intuitively, if these probabilities tend to be higher just after a certain player's documents than just before, he would suspect that this player was leaking. Of course, a leaking player might send some documents that lower $\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)$ to confuse Joe, so we need a way to add up all the changes a player makes to $\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)$. The simplest idea would be to compute the additive difference

$$\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k) - \Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^{k-1} = t^{k-1})$$

and add these for each player. However, the following example shows that this strategy does not work in general.

Example 1. Consider this protocol for two players, where one of them wants to leak one bit. We have $s = 0$, that is, $dk$ is the empty string and will be omitted from the notation. First we define the function Dec. This function looks at the two first documents. If none of these is $0^\ell$, it returns the first bit of the third document. Otherwise it defines the leader to be the first player who sent $0^\ell$. Next Dec looks at the first time the leader sent a document different from $0^\ell$. If this document represents a binary number less than $\frac{9}{10} \cdot 2^\ell$, then Dec returns the last bit of the document before, otherwise it outputs the opposite value of that bit. If the leader only sends the document $0^\ell$ the output of Dec is just the last bit sent by the other player.

The leaker's strategy is to become the leader. There is an extremely small probability that the non-leaker sends $0^\ell$ in his first document, so we will ignore this case. Otherwise the leaker sends $0^\ell$ in her first document and becomes the leader. When sending her next document, she looks at the last document from the non-leaker. If it ended in 0, Joe will think there is a 90% chance that 0 is the output and a 10% chance that the output will be 1, and if it ended in 1 it is the other way around. If the last bit in the non-leaker's document is the bit the leaker wants to leak, she just sends the document $0^{\ell-1}1$. To Joe, this will look like the non-leaker raised the probability of this outcome from 50% to 90% and then the leaker raised it to 100%. Thus, Joe will guess that the non-leaker was the leaker.

If the last bit of the previous document was the opposite of what the leaker wanted to reveal, she will "reset" by sending $0^\ell$. This brings Joe's estimate that the result will be 1 back to 50%. The leaker will continue "resetting" until the non-leaker has sent a document ending in the correct bit more times than he has sent a document ending in the wrong bit. For sufficiently high $d$, this will happen with high probability, and then the leaker sends $0^{\ell-1}1$. This ensures that Dec($T$) gives the correct value and that Joe will guess that the non-leaker was the leaker.

If the leaker wants to send many bits, the players can just repeat this protocol.

Footnote: That is, there should be a polynomial time algorithm that given previous transcript and previous messages over the anonymous channel decides if the leaker sends a message over the anonymous channel.
Obviously, the above protocol for revealing information is not a good protocol: it should be clear to Joe that the leader is not sending random documents.

As the additive difference does not work, Joe will instead look at the multiplicative factor

$$\frac{\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)}{\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^{k-1} = t^{k-1})}.$$

Definition 11. For a transcript $t$ the multiplicative factor of player $j$ over the time interval $[k_0, k_1]$ is given by

$$mf_{j,[k_0,k_1]}(t) = \prod_{k \in [k_0,k_1] \cap (j + n\mathbb{N})} \frac{\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)}{\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^{k-1} = t^{k-1})}.$$

We also define

$$mf_{-j,[k_0,k_1]}(t) = \prod_{k \in [k_0,k_1] \setminus (j + n\mathbb{N})} \frac{\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)}{\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^{k-1} = t^{k-1})}.$$

For fixed $k_0$ and non-leaking player $j$ the sequence

$$mf_{j,[k_0,k_0]}(T), \dots$$

is a martingale. Furthermore, if we consider the first $k_1 - 2$ documents to be fixed and player 1 sends a document at time $k_1 - 1$ and player 2 at time $k_1$, then player 1's document can affect the distribution of $mf_{2,[k_0,k_1]}(T)$, but no matter what document $t_{k_1-1}$ player 1 sends,

$$mf_{2,[k_0,k_1]}(T)|_{T^{k_1-1} = t^{k_1-1}}$$

will have expectation

$$mf_{2,[k_0,k_1-1]}(t^{k_1-1}).$$

Similar statements hold for the additive difference, but the advantage of the multiplicative factor is that it is non-negative. This, together with the fact that it is also a martingale, implies that it does not get large with high probability.


Proposition 1. For j and ko,ki we have: 

Proof. For k ^ j mod n we have rnfj ^i^gj^^^ft) = w/j for any t so the statement is trivially 

true. For k = j mod n it follows from Bayes’ Theorem. □ 

Proposition 2. For fixed $x$ and random $T$ there is probability at most ^ that there exists $j \neq i$ and $k_0$ such that $mf_{j,[k_0,d]}(T)$ or $mf_{-i,[k_0,d]}(T)$ is at least

Proof. For fixed $k_0$ and non-leaker $j$ we have $E[mf_{j,[k_0,d]}(T)] = 1$. As

$$mf_{j,[k_0,d]}(t) \geq 0$$


this implies that 

> !^|T) < A 

Similarly for $mf_{-i,[k_0,d]}$. We have

(t) = 'fnfj^[ko-i,d]it) 

if player $j$ does not send the $k_0$'th document, so for fixed $t$ there are only $d$ different values (not counting 1) of $mf_{j,[k_0,d]}(t)$ with $j \neq i$ and $k_0 \leq d$. By the union bound, the probability that one of the $mf_{j,[k_0,d]}(t)$'s or one of the $mf_{-i,[k_0,d]}(t)$'s are above ^ is at most □
By sampling $T'|_{T'^k = t^k}$ and $dk'$ Joe can estimate $\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)$ with a small additive error, but when the probability is small, there might still be a large multiplicative error. In particular, Joe can only do polynomially many samples, so when $\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)$ is less than polynomially small Joe will most likely estimate it to be 0. This is the reason that anonymous steganography with small anonymous channel works at all: we keep $\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)$ exponentially small until we use the anonymous channel. Instead, the idea is to estimate the multiplicative factor starting from some time $k_0$ such that $\Pr(\mathrm{Dec}_{dk'}(T') = x \mid T'^k = t^k)$ is not too small for any $k \geq k_0$. The following proposition is useful when choosing $k_0$ and choosing how many samples we make.

Proposition 3. Assume that Joe samples log (^) times to estimate PriDeCdk'iT') = x\T'^ = t^). 

//Pr(DeC(ife/(T') = x\T'^ = t^) > there is probability at least 1 — ^ that his estimate will be in 

the interval 

[(1 - 1) Pr(DeCdfe,(T') = x\T"^ = (1 + Pr(Dec,fc,(T') = x\T"^ = t'=)] 

Proof. Follows from the multiplicative Chernoff bound. □ 

Definition 12. In the following we say that Joe’s estimate of Pr(Decdfe'(T0 = x\T'^ = t^) is bad if 
Pr(Decdfe'(r') = x\T'^ = t^) > 2 ^+-rdP estimate is not in the interval 

[(1 - l)Pr(DeCdfc,(7’') = = t% (1 + 1 ) Pr(DeCdfc^ (T') = x\r’^ = t% 

Now we are ready to prove the impossibility result. 

Theorem 2. Let $\epsilon$ be a function in $\lambda$ such that $\frac{1}{\epsilon}$ is bounded by a polynomial, and let $\pi$ be a reactive anonymous steganography scheme with $s(\lambda) = O(\log(\lambda))$, $\ell' > s + 7 + 2\log_2(d) - 2\log_2(\epsilon)$ that succeeds with probability at least $q(\lambda)$. Now there is a probabilistic polynomial time Turing machine $A$ that takes input $t$ and $\lambda$ and outputs the leaker identity with probability

Proof. Let $\pi$ be a reactive anonymous steganography scheme. We assume that for random $T'$ and $dk'$ the random variable $\mathrm{Dec}_{dk'}(T')$ is uniformly distributed on $\{0,1\}^{\ell'}$ and we will just let Joe send $0^{\ell'}$ in the anonymity game.

Let mo = Consider a random transcript t. If for some fco and some non-leaker j we have ^ 

or mf_i^[ko.d] > ^ we set F; = 1 . 

First Joe will estimate $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^k = t^k)$ for all $k$ using

3-2"+9ci4 /4d 

samples for each $k$. Set $E = 1$ if at least one of these estimates is bad. In all other cases, $E = 0$. By the above propositions and the union bound, $\Pr(E = 1) \leq \epsilon(\lambda)$.

Footnote: If this is not the case, we can define a reactive anonymous scheme $\pi'$ where this is the case: just let $X'$ be uniformly distributed on $\{0,1\}^{\ell'}$, let $\mathrm{Enc}(x, t^k, state) = \mathrm{Enc}(x \oplus X', t^k, state)$ and $\mathrm{Dec}_{dk}(t) = X' \oplus \mathrm{Dec}_{dk}(t)$, where $\oplus$ is bitwise addition modulo 2. To use $\pi'$ we would need $\ell'$ bits of public randomness to give us $X'$. To get this, we can just increase $\ell$ by $\ell'$ and let $X'$ be the last $\ell'$ bits of the first document.

Now let $k_0$ be the smallest number such that for all $k \geq k_0$ Joe's estimate of $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^k = t^k)$

2

is at least ■ The idea would be to estimate the multiplication factors $mf_j$ but the problem is that $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^{k_0} = t^{k_0})$ could be large (even 1) even though $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^{k_0-1} = t^{k_0-1})$ is small, so the players might not reveal any information after the $k_0 - 1$'th document. Thus, Joe needs to include the $k_0 - 1$'th document in his estimate of the multiplication factors, but his estimate of $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^{k_0-1} = t^{k_0-1})$ might be off by a large constant factor. To solve this problem, we define


mfj = 


^/j,[feo + l,d] 
'^fj,[ko + l,d] 


Pr(Dec^,,(T')^0^ 






a j ^ko-1 
if j = fco - 1 


mod n 
mod n 


that is, we pretend that Pr(DeCdfc/(r') = 0^ |T'^“ = = (1 — ^ ”^/i,[fco,d]- We 

define m/_i the similar way. Joe’s estimate of Pr(Dec(r) = less that ^^+ 7 ^^ , otherwise fco 

would have been lower (here we are using the assumption $\ell' > s + 7 + 2\log_2(d) - 2\log_2(\epsilon)$. Without this, $k_0$ could be 1). Thus, if this estimate is not bad we must have


Pr(DeCdfc^(T') = < (1 - 

So if £1 = 0 then mfj < mfjjko,d] < Similar for mf-i. 

li E = 0 then mfj < ^ for all j i and mf-i < Furthermore, as all Joe’s estimate are good, his 

estimate of mfj is off by at most a factor (l — ^ < 2. Now we define Joe’s guess: if exactly one of his 

estimated $mf_j$'s is above $m_0$ he guesses that this player $j$ is the leaker. Otherwise he chooses his guess uniformly at random from all the players. There are two ways $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^k = t^k)$ can increase as $k$ increases: by the leaker sending documents or by a non-leaker sending documents. In the cases where $E = 0$ and Joe's estimate of $mf_i$ is less than $m_0$ we know that the contribution from the leaker's documents is a factor less than $2m_0$. As $E = 0$ we also know that the total contribution from all the non-leakers is at
most a factor So when only dk' has not been revealed to Joe we have 


2 2 

Pr(Dec,.,(T) = A|T = t) < ^^2mo^ = = 2^ 

As the only randomness left to be revealed is $dk'$ which is uniformly distributed on a set of size $2^s$, we know that

$$\Pr(\mathrm{Dec}_{dk'}(T) = 0^{\ell'} \mid T = t)$$

is a multiple of $2^{-s}$. This implies

$$\Pr(\mathrm{Dec}_{dk'}(T) = 0^{\ell'} \mid T = t) = 0.$$

In other words, if $\mathrm{Dec}_{dk}(T) = 0^{\ell'}$ and $E = 0$ then $A$ must output $i$. Furthermore, in all other cases where $E = 0$ Joe will either guess the leaker correctly (because Joe's estimate of $mf_i$ is sufficiently high) or guess uniformly among all the players. The probability that Joe is correct is now

$$\Pr(g = i) \geq q + \frac{1-q}{n} - \Pr(E = 1) \geq q + \frac{1-q}{n} - \epsilon.$$

□ 

Footnote: If we allow the leaker to send anonymous bits before the end of the open communication, this is a third way $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^k = t^k)$ can increase. However, if the times where the anonymous channel is used are predictable by Joe, he can still sample as if the anonymous bits were random. This way, each anonymous bit makes $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^k = t^k)$ increase by at most a factor 2. If the leaker can only send $s$ anonymous bits in total this only moves a factor 2 increase in $\Pr(\mathrm{Dec}_{dk'}(T') = 0^{\ell'} \mid T'^k = t^k)$ from a later point in the proof to here.

Footnote: Here we are using that Dec is deterministic. However, allowing it to be non-deterministic does not help: we could just increase $\ell$ and let Dec use the extra bits in each document as randomness instead of using a random tape.

Notice that we cannot do better than $q + \frac{1-q}{n}$. The players could use a protocol where with probability $q$ the leaker reveals herself and the information and otherwise no-one reveals any information. This protocol succeeds with probability $q$, and when it does, Joe will guess the leaker. With probability $1 - q$ it does not succeed, and Joe has probability $\frac{1}{n}$ of guessing the leaker. In total Joe will guess the leaker with probability $q + \frac{1-q}{n}$. Finally we can conclude that:
Corollary 2. If $\pi$ is a reactive anonymous steganography scheme with $s = O(\log(\lambda))$, $d$ polynomial in $\lambda$ and $\to \infty$ that ensures weak anonymity, then the probability of correctness $q$ tends to 0 as $\lambda \to \infty$.

Proof. Let $\pi$ be as in the assumption and define


. « + 7+21og2(rf)-<' . 

e = max(A ,2 2 ) 


By assumption, $s = O(\log(\lambda))$, $\log(d) = O(\log(\lambda))$, and $\to \infty$, so $\epsilon \to 0$. The parameters satisfy the assumptions in Theorem 2 so there is an adversary that can guess the leaker with probability

$$q + \frac{1-q}{n} - \epsilon = \frac{1}{n} + \frac{n-1}{n} q - \epsilon \geq \frac{1}{n} + \frac{q - 2\epsilon}{2}.$$

As $\pi$ ensures anonymity, $\frac{q - 2\epsilon}{2}$ must be negligible and as $\epsilon \to 0$ we must have $q \to 0$.


□ 
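Joe's guessing strategy from the proof of Theorem 2 (sample the conditional probabilities, form each player's multiplicative factor, accuse the unique player whose factor is above $m_0$), run against a toy reactive scheme. This is an added illustration, not code from the paper: the toy `dec` (where `dk` is an index into the transcript), the parameters, the threshold `m0 = 4`, the constructed transcript, and the use of the whole interval [1, d] instead of the $k_0$ cutoff are assumptions made for the example.

```python
import random

# Toy parameters (assumptions): n players, d documents of ELL bits, dk of S bits.
N, D, ELL, S = 4, 8, 6, 3

def dec(dk, t):
    """Toy Dec_dk(t): dk is an index into the transcript; output that document."""
    return t[dk]

def sender(k):
    """Player j in 1..n who sends document k in 1..d (k = j mod n)."""
    return (k - 1) % N + 1

def estimate(prefix, x, rng, samples=8000):
    """Sample Pr(Dec_dk'(T') = x | T'^k = t^k): extend the known prefix t^k with
    uniform documents, draw a uniform dk', and count how often Dec returns x."""
    hits = 0
    for _ in range(samples):
        t = prefix + [rng.getrandbits(ELL) for _ in range(D - len(prefix))]
        hits += dec(rng.getrandbits(S), t) == x
    return max(hits, 1) / samples  # floor of one hit avoids division by zero

def multiplicative_factors(t, x, rng):
    """mf_j over [1, d]: product, over the documents k sent by player j,
    of the estimated Pr(. | t^k) / Pr(. | t^(k-1))."""
    p = [estimate(t[:k], x, rng) for k in range(D + 1)]
    mf = {j: 1.0 for j in range(1, N + 1)}
    for k in range(1, D + 1):
        mf[sender(k)] *= p[k] / p[k - 1]
    return mf

def joe_guess(t, x, rng, m0=4.0):
    """Guess the unique player whose factor exceeds m0, else guess uniformly."""
    mf = multiplicative_factors(t, x, rng)
    suspects = [j for j, v in mf.items() if v > m0]
    return suspects[0] if len(suspects) == 1 else rng.randint(1, N)

# Constructed transcript: player 3 leaks X in document 3 and sends dk = 2
# (0-based index of that document) over the anonymous channel.
X, DK, LEAKER = 0b101101, 2, 3
TRANSCRIPT = [17, 52, X, 9, 33, 60, 2, 28]

if __name__ == "__main__":
    rng = random.Random(2016)
    print(multiplicative_factors(TRANSCRIPT, X, rng))
    print("Joe guesses player", joe_guess(TRANSCRIPT, X, rng))
```

With only 3 bits of `dk`, the leaker's own document has to lift the success probability from about 1/85 to about 1/7, and that jump is the factor Joe detects; the non-leakers' factors stay close to 1.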